Enterprise
Data Processing Agreement
Standard GDPR Article 28 DPA template for Enterprise customers. This template covers data controller / processor responsibilities, types of data processed, security measures, sub-processors, international transfers, data subject rights, and deletion procedures.
Note: This is a template. For a counter-signed DPA on company letterhead, contact legal@scentshield.io. Enterprise customers receive an executed DPA as part of their contract package.
DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") forms part of the Terms of Service between
ScentShield AI Limited ("Processor") and the Customer ("Controller") and reflects
the parties' agreement on the processing of Personal Data in accordance with
Article 28 of Regulation (EU) 2016/679 (the "GDPR") and the UK GDPR as retained
under the European Union (Withdrawal) Act 2018.
================================================================================
1. DEFINITIONS
================================================================================
1.1 "Personal Data", "Data Subject", "Process/Processing", "Controller",
"Processor", and "Sub-processor" have the meanings given in Article 4 of
the GDPR.
1.2 "Customer Data" means any data, including Personal Data, that the Customer
submits to or has processed by ScentShield in connection with the Services,
including formula compositions, ingredient lists, compliance results,
generated documents, and account information.
1.3 "Services" means the ScentShield AI fragrance regulatory intelligence
platform.
1.4 "Standard Contractual Clauses" or "SCCs" means the standard contractual
clauses for the transfer of personal data to third countries pursuant to
Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
================================================================================
2. SUBJECT MATTER, NATURE, AND PURPOSE OF PROCESSING
================================================================================
2.1 Subject matter: ScentShield processes Customer Data solely for the purpose
of providing the Services to the Customer.
2.2 Nature of processing: Hosting, storing, organising, structuring, retrieving,
transmitting, classifying, and analysing Customer Data to perform automated
regulatory compliance checks and generate regulatory documents.
2.3 Purpose: To enable the Customer to check fragrance formulas against
applicable regulations (IFRA Standards, EU CLP Regulation 1272/2008, REACH
1907/2006, EU Cosmetic Regulation 1223/2009, and equivalent regulations in
supported markets) and to generate compliance documentation.
2.4 Duration: Until termination of the Services or deletion of the Customer's
account, whichever is earlier.
================================================================================
3. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
================================================================================
3.1 Types of Personal Data processed:
(a) Identification data: name, email address, company name, role
(b) Authentication data: hashed passwords (via Supabase Auth)
(c) Contact data: business address, phone (if provided)
(d) Billing data: invoice records (payment card data is processed by
Stripe and never reaches ScentShield systems)
(e) Usage data: feature interaction logs, performance metrics, error logs
3.2 Customer Data that may contain Personal Data only incidentally (e.g. names
of contacts within formula notes) is processed in accordance with this DPA.
3.3 Categories of Data Subjects:
(a) Customer's employees and authorised users
(b) Customer's contacts and business partners (where their details appear
in account or billing records)
================================================================================
4. CONTROLLER AND PROCESSOR OBLIGATIONS
================================================================================
4.1 The Customer is the Controller of Customer Data and ScentShield is the
Processor.
4.2 ScentShield shall:
(a) Process Customer Data only on documented instructions from the
Customer, including with regard to transfers of Personal Data to a
third country, unless required to do so by law;
(b) Ensure that persons authorised to process Personal Data have committed
themselves to confidentiality;
(c) Take all measures required pursuant to Article 32 of the GDPR
(security of processing);
(d) Respect the conditions referred to in paragraphs 5 and 6 below for
engaging Sub-processors;
(e) Assist the Customer in fulfilling its obligations to respond to
requests from Data Subjects exercising their rights;
(f) Assist the Customer in ensuring compliance with Articles 32-36 of
the GDPR (security, breach notification, DPIAs, prior consultation);
(g) At the choice of the Customer, delete or return all Personal Data
after the end of the provision of Services, and delete existing
copies unless retention is required by law;
(h) Make available to the Customer all information necessary to demonstrate
compliance with this DPA, and allow for and contribute to audits.
================================================================================
5. SECURITY MEASURES
================================================================================
5.1 ScentShield shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including
but not limited to:
(a) Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
(b) Database row-level security with tenant isolation
(c) Multi-factor authentication for all administrative access
(d) Principle of least privilege for staff access to production systems
(e) Regular security audits and vulnerability assessments
(f) Secure software development lifecycle practices
(g) Incident response procedures with documented escalation
(h) Regular backups with tested restoration procedures
(i) Physical security of data centre facilities (managed by sub-processors)
(j) Logging and monitoring of access to Customer Data
5.2 ScentShield will notify the Customer without undue delay (and within
72 hours where feasible) after becoming aware of a Personal Data Breach
affecting Customer Data.
================================================================================
6. SUB-PROCESSORS
================================================================================
6.1 The Customer authorises ScentShield to engage the following Sub-processors
in connection with the provision of the Services:
SUB-PROCESSOR | LOCATION | PURPOSE
---------------------|----------------|---------------------------------
Supabase Inc. | EU (Frankfurt) | Database, authentication, storage
Vercel Inc. | EU edge | Web application hosting
Stripe Payments UK | UK / EU | Payment processing
Resend (Plain Text) | EU | Transactional email delivery
Anthropic PBC | US (with SCCs) | AI services (content & support
| | agents only — never receives
| | Customer formula data)
6.2 ScentShield shall inform the Customer of any intended changes concerning
the addition or replacement of Sub-processors at least 30 days in advance,
thereby giving the Customer the opportunity to object.
6.3 Where ScentShield engages a Sub-processor, the same data protection
obligations as set out in this DPA shall be imposed on that Sub-processor
by way of a contract.
================================================================================
7. INTERNATIONAL TRANSFERS
================================================================================
7.1 Where Personal Data is transferred outside the European Economic Area or
the United Kingdom, ScentShield shall ensure such transfers are subject to
appropriate safeguards as required by Chapter V of the GDPR, including
the Standard Contractual Clauses or other approved mechanisms.
7.2 The transfer to Anthropic (US) for AI processing is governed by the
Standard Contractual Clauses (Module Two: Controller to Processor) plus
supplementary measures including end-to-end encryption and contractual
prohibition on use of Customer Data for model training.
================================================================================
8. DATA SUBJECT RIGHTS
================================================================================
8.1 ScentShield shall, taking into account the nature of the processing,
assist the Customer by appropriate technical and organisational measures,
insofar as this is possible, in fulfilling the Customer's obligations to
respond to requests for exercising the Data Subject's rights including:
(a) Right of access (Article 15)
(b) Right to rectification (Article 16)
(c) Right to erasure (Article 17)
(d) Right to restriction of processing (Article 18)
(e) Right to data portability (Article 20)
(f) Right to object (Article 21)
8.2 If a Data Subject sends a request directly to ScentShield, ScentShield
shall promptly forward the request to the Customer and shall not respond
to the Data Subject directly without the Customer's authorisation.
================================================================================
9. DELETION AND RETURN OF DATA
================================================================================
9.1 Upon termination of the Services or upon the Customer's written request,
ScentShield shall, within 30 days:
(a) Provide the Customer with the ability to export all Customer Data in
a structured, commonly used and machine-readable format;
(b) Delete all Customer Data from ScentShield's production systems;
(c) Delete all Customer Data from active backups within the standard
backup retention windows of the Sub-processors (typically 30 days);
(d) Provide written confirmation of deletion upon request.
9.2 Notwithstanding the above, ScentShield may retain Customer Data to the
extent and for such period as required by applicable law (e.g. tax records
for 7 years under UK accounting law).
================================================================================
10. AUDIT
================================================================================
10.1 ScentShield shall make available to the Customer all information necessary
to demonstrate compliance with the obligations laid down in this DPA and
allow for and contribute to audits, including inspections, conducted by
the Customer or another auditor mandated by the Customer.
10.2 The Customer shall give ScentShield reasonable advance notice (no less
than 30 days) of any audit and shall conduct such audits during normal
business hours and in a manner that does not unreasonably interfere with
ScentShield's business operations.
10.3 In lieu of an on-site audit, the Customer may request ScentShield's most
recent third-party audit reports and security certifications.
================================================================================
11. LIABILITY
================================================================================
11.1 Each party's liability arising out of or related to this DPA, whether in
contract, tort or under any other theory of liability, is subject to the
limitations of liability set out in the Terms of Service.
================================================================================
12. GOVERNING LAW
================================================================================
12.1 This DPA shall be governed by the laws of England and Wales.
================================================================================
SIGNATURES
================================================================================
ScentShield AI Limited (Processor)
Name: ___________________________________
Title: __________________________________
Date: ___________________________________
Signature: ______________________________
Customer (Controller)
Company: ________________________________
Name: ___________________________________
Title: __________________________________
Date: ___________________________________
Signature: ______________________________
================================================================================
END OF DATA PROCESSING AGREEMENT
================================================================================